For TPRM Teams
Aegisnode scans any vendor's external attack surface in under 2 seconds — open ports, certificate issues, DNS misconfigurations, breach exposure, and more. No questionnaire. No waiting. No vendor cooperation required.
TPRM teams use Aegisnode to verify vendor claims before the assessment begins, identify gaps before the questionnaire goes out, and cut weeks of back-and-forth into minutes of actual intelligence.
Free scan — 8 categories — results in under 2 seconds. No account required.
The TPRM Reality
Here is what a standard vendor security assessment actually looks like:
You identify a new vendor. You send a questionnaire — maybe a SIG Lite, maybe your own template. You wait. You follow up. You wait more. Four weeks later, you receive a spreadsheet filled out by the vendor's sales team. Every control is marked "Yes." Every policy is listed as "In place." You have no way to verify a single answer.
You accept the risk, document your review, and move on. Your board reports that you have a TPRM program. Your vendors report that they're compliant. And no one has looked at the external attack surface.
This is not a process failure. This is the design of traditional vendor risk management. It was built around documentation, not verification. Around self-attestation, not evidence. Around questionnaires, not external signals.
The questionnaire tells you what a vendor wants you to believe. The external attack surface tells you what's actually true.
Aegisnode reads the attack surface. It doesn't wait for the vendor to cooperate.
"75% of vendors either do not answer security questionnaires or fail to do so in a timely manner." — Third-Party Risk Management research, 2025
The Transformation
Monday: A new vendor enters your pipeline. You create an assessment record, draft a questionnaire, and send it to your vendor contact. You note the estimated turnaround: 3–4 weeks. You add it to your tracker.
Week 2: No response. You send a follow-up email. Your vendor contact says they've forwarded it to their security team.
Week 4: The questionnaire comes back. 200 questions. Every control is marked "Yes" or "Compliant." You have three open questions that weren't answered. You send another follow-up.
Week 5: The assessment is finalized. You rate the vendor "Medium Risk" based on self-reported data you cannot independently verify. You document the risk acceptance and move on.
The result: Five weeks. One data source. Zero external verification. And seventeen other vendors still in your queue.
Monday, 9:04 AM: A new vendor enters your pipeline. You enter their domain into Aegisnode. In under 2 seconds, you have external scan results across 8 risk categories — open ports, certificate validity, DNS configuration, breach data, web security headers, and more.
Monday, 9:06 AM: You notice the vendor's certificate expired last month and there are three open ports that shouldn't be public-facing. You have specific, verifiable questions to ask before the questionnaire even goes out.
Monday, 9:30 AM: You send a targeted questionnaire — not 200 generic questions, but 12 specific questions about the gaps Aegisnode surfaced. The vendor has context. They respond in three days.
Week 2: Assessment complete. Risk rating based on external evidence plus vendor response. No guesswork. No waiting. Documented and defensible.
The result: Nine business days. External + self-reported data cross-referenced. Gaps identified before the assessment started. And you've already scanned four other vendors in the same time.
Aegisnode doesn't replace your assessment process. It gives you a head start — with data the vendor can't edit.
By the Numbers
| Category | Traditional TPRM | Aegisnode |
|---|---|---|
| Time to first data | 2–6 weeks (questionnaire dependent) | Under 2 seconds |
| Data source | Vendor self-attestation | External scan — no vendor input required |
| Cost per assessment | $0 direct + hours of analyst time, or $300–$2,500/vendor/year for enterprise platforms | $0 free scan · $79 one-time report · $99/mo for ongoing monitoring |
| Verification method | Trust and documentation review | Live external data — open ports, certificates, DNS, breach records |
| Coverage depth | What the vendor chooses to disclose | 8 external risk categories, continuously updated |
| Claim verification | Manual cross-reference against provided evidence | Paste vendor claims → Aegisnode confirms or contradicts against scan data |
| Vendor cooperation required? | Yes — no questionnaire response, no assessment | No — scan runs without vendor knowledge or participation |
| Refresh frequency | At renewal or incident | Weekly (Pro) · Daily (Analyst) · Continuous (Command) |
| Setup time | Weeks (RFP, procurement, onboarding) | 30 seconds — enter a domain, get results |
| Sales call required? | Always (for enterprise tools) | Never |
Enterprise TPRM platform pricing data based on publicly available market research. SecurityScorecard list pricing for 50–200 vendors ranges from $25,000–$50,000 annually. BitSight starts at $20,000+ base. Aegisnode Pro is $99/month for 3 targets.
Hero Feature
No other self-serve tool does this.
Every TPRM assessment includes a moment where the vendor tells you something about their security posture. "We use TLS 1.2 everywhere." "All our ports are closed except 443 and 80." "We have no known breach exposure." "Our certificates are valid and auto-renewed."
These claims come in questionnaires. They come in emails. They come in sales calls with your procurement team. They come in SOC 2 summaries and security one-pagers. And until now, your options for verifying them were: trust the document, hire a penetration tester, or ask the vendor to send more documentation.
Claim Verification changes this.
Copy any security claim from a vendor questionnaire, email, or document. Paste it into Aegisnode's Claim Verification input.
Aegisnode runs a live external scan of the vendor's domain and compares your claim against what it actually finds. Certificate validity, HSTS headers, TLS configuration, open ports — all checked against the external surface.
Each claim comes back as one of three states:
Most TPRM tools give you a score. A letter grade. A risk rating. They do not give you evidence you can put in front of a vendor and say: "Your questionnaire says your certificate is valid. Our scan found it expired 31 days ago. Please explain."
That's what Claim Verification gives you. Specific, dated, external evidence. The kind that changes the conversation from "we trust you" to "show us."
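How the comparison step described above can be expressed in code, as an added example that is not Aegisnode's own implementation: each vendor claim is mapped onto the relevant scan evidence and comes back with a state and a dated evidence string. The three state labels, the scan fields and the vendor data are all assumptions constructed for this example (the page does not list Aegisnode's own labels).

```python
from __future__ import annotations
import re
from datetime import date

# Constructed external-scan result for a fictional vendor (illustrative values, not real data).
SCAN = {
    "domain": "vendor.example",
    "scanned_on": date(2025, 6, 1),
    "open_ports": [80, 443, 3389],
    "cert_not_after": date(2025, 5, 1),   # certificate expiry observed on the scan
    "tls_offered": [1.0, 1.2],            # protocol versions the endpoint accepted
    "hsts": True,
}

# Assumed result states for this example; the page does not list Aegisnode's own labels.
CONFIRMED, CONTRADICTED, UNVERIFIABLE = "confirmed", "contradicted", "unverifiable"


def verify_claim(claim: str, scan: dict) -> tuple[str, str]:
    """Compare one vendor claim against scan evidence; return (state, dated evidence)."""
    text = claim.lower()
    when = scan["scanned_on"].isoformat()
    if "port" in text:
        # "closed except 443 and 80": every number in the claim is an allowed port
        allowed = {int(n) for n in re.findall(r"\b\d{1,5}\b", text)}
        extra = sorted(set(scan["open_ports"]) - allowed)
        if extra:
            return CONTRADICTED, f"ports {extra} were also open on {when}"
        return CONFIRMED, f"only ports {sorted(scan['open_ports'])} open on {when}"
    if "certificate" in text and "valid" in text:
        days_expired = (scan["scanned_on"] - scan["cert_not_after"]).days
        if days_expired > 0:
            return CONTRADICTED, f"certificate expired {days_expired} days before {when}"
        return CONFIRMED, f"certificate valid until {scan['cert_not_after']} as of {when}"
    if (m := re.search(r"tls\s*(\d\.\d)", text)):
        # "TLS 1.2 everywhere" is read as a minimum version; older versions contradict it
        older = [v for v in scan["tls_offered"] if v < float(m.group(1))]
        if older:
            return CONTRADICTED, f"TLS {older} still offered on {when}"
        return CONFIRMED, f"no version below TLS {m.group(1)} offered on {when}"
    if "hsts" in text:
        present = scan["hsts"]
        return (CONFIRMED if present else CONTRADICTED), f"HSTS header {'present' if present else 'absent'} on {when}"
    # Policies, procedures and other internal controls cannot be observed from outside
    return UNVERIFIABLE, "not observable from the external attack surface"


def verify_all(claims: list[str], scan: dict) -> dict[str, tuple[str, str]]:
    """Run every claim from a questionnaire and keep the evidence for the follow-up."""
    return {c: verify_claim(c, scan) for c in claims}
```

The evidence strings are what goes back to the vendor: a dated observation rather than a score.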
Coverage
Every scan runs across the full attack surface — no categories skipped, no manual configuration required.
What's exposed to the internet and what's running on it — including services that shouldn't be public-facing.
Certificate validity, expiration status, chain integrity, and configuration quality across all subdomains.
SPF, DKIM, DMARC records, DNS misconfigurations, and subdomain exposure that creates phishing or takeover risk.
HSTS, Content-Security-Policy, X-Frame-Options, and other browser-enforced headers that signal web security posture.
Open CVEs matched against identified services and software versions running on the vendor's external infrastructure.
Known data breaches, leaked credentials, and dark web mentions associated with the vendor's domain and infrastructure.
Domain-based controls that prevent spoofing and phishing — a leading indicator of email security maturity.
The vendor's full external footprint — subdomains, cloud assets, and infrastructure that may carry risk you didn't know existed.
All categories scanned simultaneously. Results delivered in a single report — PDF download, JSON export, or API response, depending on your plan.
Transparency
We'd rather you understand exactly what Aegisnode does — and doesn't do — before you buy. Security tools that overpromise are a liability. Here's where our scope ends.
Aegisnode scans external surfaces. Internal controls — your vendor's access management policies, their change management procedures, their incident response plans — cannot be observed from outside. Questionnaires and documentation review still matter for that layer.
A scan is not a pen test. Aegisnode identifies exposed services and misconfigurations; it does not attempt to exploit them. For vendors handling critical data or infrastructure, a targeted penetration test by a qualified firm remains the appropriate tool.
Data processing agreements, liability clauses, SLA terms, right-to-audit provisions — these are outside our scope. Aegisnode is the external verification layer. Your legal and procurement teams own the contract layer.
We can't see inside a vendor's firewall. We observe what's exposed externally. If a vendor's internal network is misconfigured but not exposed, we won't find it — and we won't pretend otherwise.
A clean Aegisnode scan does not mean a vendor is SOC 2 compliant, ISO 27001 certified, or meets any specific regulatory framework. It means their external attack surface shows no observed issues at the time of the scan. Those are related but distinct things.
Aegisnode scans publicly observable external data. Vendors are not notified, do not participate, and cannot influence scan results. This is by design. External signals are more reliable precisely because they cannot be curated.
Knowing what a tool doesn't do is as important as knowing what it does. If Aegisnode fits the external verification layer of your TPRM program, we'll deliver. If you need something else, we'll tell you.
Pricing
The median SecurityScorecard contract is $16,086 per year. BitSight starts at $20,000+ before you've assessed a single vendor. UpGuard begins at $20,000 annually for basic access.
Aegisnode Pro is $99/month. A one-time report is $79.
| Plan | Price | Who it's for |
|---|---|---|
| Free | $0 | Try it — 3 scans/month, 1 target |
| Pro | $99/mo or $79/report | Teams doing periodic vendor assessments |
| Analyst | $249/mo or $499/report | Continuous monitoring of up to 10 vendors |
| Command | $599–$999/mo | Security teams managing 25+ vendors continuously |
You don't need a six-figure contract to verify that your vendor's certificate is valid. You don't need a sales call to find out they have port 3389 open to the internet. You don't need 90 days of procurement review to know that a new SaaS vendor has three unpatched CVEs on their public-facing infrastructure.
Aegisnode is designed for the team that doesn't have a dedicated vendor risk budget — or the team that does, and can't believe what they're spending it on.
A single one-time report is $79. That's it. No subscription required, no credit card on file for the free scan, no demo call to get access to pricing.
If you're assessing 3–10 vendors a month — the average for a TPRM analyst at a mid-sized company — $99/month buys you more external intelligence than most enterprise platforms deliver at 100x the price.
The math is simple. One year of Aegisnode Pro costs $1,188. The annual cost of a single TPRM analyst, at industry average, is $116,000. Aegisnode doesn't replace that analyst — it gives them back weeks of their year to do the work that actually requires human judgment.
The Founder
Aegisnode was built by a CISSP/CISA-certified security professional who works in information security — not someone who studied vendor risk in theory, but someone who has reviewed vendor questionnaires, accepted documented risks, and filed incident reports when a third-party breach hit upstream.
The gap that Aegisnode fills — between what a vendor claims and what's externally observable — is not an abstract product insight. It's a daily frustration that exists in every TPRM program that relies on self-reported data.
That background informs every product decision: what the scan covers, how results are presented, what language is used, and what the tool explicitly doesn't claim to do. Security practitioners have sharp instincts for when a tool oversells. We'd rather earn trust by being specific about what we find and honest about what we can't see.
Every full report includes a CISSP/CISA-reviewed summary — not generated by a template, but reviewed by the same practitioner who built the platform. Because automated output and professional judgment are not the same thing.
CISSP · CISA · Built for practitioners · Verified by practitioners
The Registry
The Aegisnode Registry is a public database of external scan results — domains and IP ranges assessed by the platform, with findings available for review. Before you run your own scan, you may find your vendor is already in there.
The Registry is also the fastest way to understand what Aegisnode actually produces. Real scan output. Real findings. No demo environment, no sanitized screenshots. This is what your TPRM team gets on day one.
Public results are read-only. Full scans, reports, and Claim Verification require a free account or one-time report purchase.